PSIRT Advisories

FortiSOAR - Server-side Template Injection in playbook execution


An improper neutralization of special elements used in a template engine vulnerability [CWE-1336] in FortiSOAR management interface may allow a remote and authenticated attacker to execute arbitrary code via a crafted payload.

Affected Products

FortiSOAR version 7.3.0 through 7.3.1


Please upgrade to FortiSOAR version 7.4.0 or above
Please upgrade to FortiSOAR version 7.3.2 or above


Internally discovered and reported by Boumediene Kaddour from System and Sales Team


2023-04-04: Initial publication
2023-04-12: Update Solutions and Acknowledgement